TheTechGuide Forum

General Category => Tech Clinic => Topic started by: mjr152005 on June 02, 2005, 10:33:31 AM

Title: ClickSearchClick
Post by: mjr152005 on June 02, 2005, 10:33:31 AM
I'm New.  This clicksearchclick redirects nearly everything and constantly changes my homepage.  It is supposed to be MSN.com.  I'm on a customized (my cousin's husband customized it) computer with a 1000 MHz AMD Athlon Processor, 512 MB of RAM, and a 19 GB Hard Drive (:huh: too small!) with 11.7 GB of free space. I have a dedicated internet connection.  My operating system is Windows 2000 SP4 (WinNT 5.00.2195).  Here is My HijackThis Log File:

Logfile of HijackThis v1.99.1
Scan saved at 9:50:46 AM, on 06/02/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\system32\ias\psybnc\FireDaemon.EXE
C:\WINNT\system32\cmd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\ias\psybnc\ptask.exe
C:\WINNT\system32\regsvc.exe
C:\winnt\system32\dllcache\FireDaemon.EXE
C:\WINNT\system32\rs.exe
C:\WINNT\system32\dllcache\runbatch.exe
C:\WINNT\system32\spool\PRINTERS\spools.exe
C:\WINNT\system32\dhcp\ubot\FireDaemon.EXE
C:\WINNT\system32\dhcp\ubot\etask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\LXSUPMON.EXE
C:\WINNT\system32\RUNDLL32.EXE
C:\WINNT\system32\dhcp\csrss.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\coleapi.exe
C:\WINNT\system32\Services\{50231C21-55CB-49D9-B4BF-968A5D9E4651}\SVCHOST.EXE
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINNT\system32\win32.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\cidaemon.exe
C:\Download\hijackthis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PBlockadeHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINNT\system32\smiehlp.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\MSDXM.OCX
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Service Host] C:\WINNT\system32\Services\{50231C21-55CB-49D9-B4BF-968A5D9E4651}\SVCHOST.EXE
O4 - HKLM\..\RunServices: [Windows Compliant] winole.exe
O4 - HKLM\..\RunServices: [vccacA] sdaxzl.exe
O4 - HKLM\..\RunServices: [Halflife] halflife2.exe
O4 - HKLM\..\RunServices: [Spools] Spools.exe
O4 - HKLM\..\RunServices: [windll32] windll32.exe
O4 - HKLM\..\RunServices: [HidDll32] HidDll32.exe
O4 - HKLM\..\RunServices: [lMAPl] lMAPl.EXE
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Spools] C:\WINNT\system32\spool\PRINTERS\spools.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [hBu9RkG5X] coleapi.exe
O4 - HKCU\..\Run: [wupd] C:\WINNT\system32\win32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {483912CF-8995-4434-AD61-6163756E05DF} (AXTNS Control) - http://download.livemath.com/activex/AXTNS.ocx
O16 - DPF: {527196A4-B1A3-4647-931D-37BA5AF23037} - http://69.50.171.170/traff/1/open.exe
O21 - SSODL: System - {0EDA5946-4C68-47D6-B836-9FA3C4998C81} - vr_sys.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: FireDaemon Service: bnc (bnc) - Unknown owner - C:\WINNT\system32\ias\psybnc\FireDaemon.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: fxSVC (fxScanner) - Unknown owner - C:\WINNT\fxsvc.exe (file missing)
O23 - Service: iwhift - Unknown owner - \\66.115.215.125\admin$\halflife2.exe" -service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: FireDaemon Service: ntsysvers (ntsysvers) - Unknown owner - C:\winnt\system32\dllcache\FireDaemon.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: FireDaemon Service: runbatch (runbatch) - Unknown owner - C:\winnt\system32\dllcache\FireDaemon.EXE
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\rs.exe" /service (file missing)
O23 - Service: Serv-U FTP Server (Serv-U) - Unknown owner - C:\WINNT\system32\nt\cache1\rotr.exe
O23 - Service: Spools Print spol (Spools) - Unknown owner - C:\WINNT\system32\spool\PRINTERS\spools.exe
O23 - Service: FireDaemon Service: ubot (ubot) - Unknown owner - C:\WINNT\system32\dhcp\ubot\FireDaemon.EXE

Can anyone help me please.  I'm sorry but after about noon today I can't reply until next Thursday morning, since my dad and I are Campground hosts and are back home for our weekly stop.  But please help me and I'll try what anyone suggests.  My cousin's husband is not available to help me, so here I am.  Once again please help. Thanks in advance, Bye! :)
Title: ClickSearchClick
Post by: Cretemonster on June 03, 2005, 09:04:25 AM
Post back when you return and we will see what can be done!

I don't advise using this PC to get on the Internet!!!

Let me know when you are ready!
Title: ClickSearchClick
Post by: Majika on June 15, 2005, 05:34:41 AM
To begin, I have spotted a few tools script kiddies/hackers use to gain access to your PC and turn it into a "Pubstro" (new word for the day). This basically means that you are now a public/closed 2 Group FTP server and IRC Bot. (don't understand - Google it up)

The first tool which enables the FTP Server and IRCBot to autostart every time the OS reboots is called "FireDaemon". Click here to Learn How To Uninstall Firedaemon (http://www.firedaemon.com/manual/#_Toc80616706)

Not only are you infected but you are unknowingly carrying out the hackers dirty work for them.

I will explain. After the hackers have gained access to your system (probably R00t access) they will upload the payload of various tools and stuff. Also inc. is a device that will scan other vulnerable PC's/Victims from your PC. The scan device has probably been renamed to "fxSVC.exe" [This scanner in particular scans for IIS vulns and then, when a weak NT pass is found, it either reports this back to the hacker or tries to gain access to that machine]  :ph34r:


System restore will be no good since a clever script kiddie would have taken this into account.

---------------------------------------------------------------------------------------------------------------------------------
Follow these Steps:-

1) Delete all keys found in:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
-Make sure you ONLY del. progs/apps/*.exe,*.bat (any other executable extension) that is in the registry keys above.  :angry:
-----------------------------------------------------------------------------------------------------------------------------------
Delete these files/directories (when stated)
2 ) Delete these files :-

C:\WINNT\system32\rs.exe <- Delete this file

C:\WINNT\system32\dhcp\ubot  <- delete this directory + everything in it.

C:\winnt\system32\dllcache\FireDaemon.EXE  <- Delete this file

C:\WINNT\fxsvc.exe <- Delete this file

C:\WINNT\system32\ias\psybnc\FireDaemon.EXE   <- Delete this file

----------------------------------------------------------------------------------------------------------------------------------------

3 )  Check your Win.ini, Startup folder, Autoexec.bat for references to other *.bat/ *.exe files that you can't account for, or that point to the files I asked you to delete above.  :ph34r:
----------------------------------------------------------------------------------------------------------------------------------------

-  An AVirus scan would probably be ineffective because your system is already infected; the same goes for your FWall software. Info/data will still be passed through to the hacker/skript kiddie who has infected you.

-  To be honest with you mate, it would be easier if you did a full format on the infected PC and other PC's on your network which are connected to this PC in question.

-  Backup all NON-executable files and html etc. Files that could have also been infected as a secondary measure the script kiddie might have implemented during his attack of your PC.
ONLY Backup files like *.txt, *.mp3, *.wav, *.iso, *.bin, *.rar, *.zip (there are more )
 then insert your OS disk and from the prompt/bootdisk do:-

FORMAT C:\

Follow Onscreen Instructions.

Wait for an hour or so to do fresh install of OS.   :blink:
----------------------------------------------------------------------------------------------------------------------------------------

Remember the moral of this story is Never, Never install files when you don't know who sent them to you. Keep off IRC, P2P, etc if you don't know what ya really doing, and make sure you know the websites you are visiting. Install AVirus (makes you feel like you're protected when you are not) and Firewall software (again makes it that little bit harder for the script Kiddie/Hacker to operate their servers/malicious nasties)

4 ) Script Kiddies usually use your NT Shares/ Netbios to gain access to your PC, so disable your Network shares (Admin$ Print$  Network Drives E$~ Z$ ). You can do this by going to the cmd prompt and typing NET STAT and going from there...  :ph34r:

5 )  Keep away from downloadable cracks and stuff you find on the net - This is another place for infected crap to enter your system

Check out My Site for loads more tips and hints: ThE RoGuEUniT Kr3W (http://www.rogueunit.co.uk). This is a great place for the info you will require and resources to tools to help fix ya PC. Site is being updated so please call back every few days
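An added example, not code from anyone in this thread: a small Python triage of HijackThis O4 (registry Run) and O23 (service) lines that applies the checks Majika's reply walks through (no vendor on a service, missing binary, binaries under dllcache/dhcp/ias, a UNC path, a FireDaemon wrapper). The sample lines are constructed in the log's format rather than copied from the post, and the UNC host is a documentation address.

```python
import re

# Constructed sample lines in HijackThis O4/O23 format (not copied from the thread);
# the UNC host is a documentation address (192.0.2.0/24), not a real one.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [Windows Compliant] winole.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: FireDaemon Service: bot (bot) - Unknown owner - C:\WINNT\system32\dhcp\bot\FireDaemon.EXE
O23 - Service: svc (svc) - Unknown owner - \\192.0.2.10\admin$\game.exe" -service (file missing)
"""

# System directories that hold data or cached copies, not installed service binaries.
ODD_DIRS = ("\\dllcache\\", "\\dhcp\\", "\\ias\\", "\\spool\\printers\\")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<path>.+)$")

def flag_path(path):
    """Reasons to review an executable path, whichever section it came from."""
    low = path.lower()
    reasons = []
    if low.startswith("\\\\"):
        reasons.append("binary loaded from a remote UNC share")
    if "(file missing)" in low:
        reasons.append("entry points at a file that no longer exists")
    if any(d in low for d in ODD_DIRS):
        reasons.append("binary sits in a data or cache directory")
    if "firedaemon" in low:
        reasons.append("FireDaemon wrapper (the persistence tool the reply names)")
    return reasons

def triage(log):
    """Return [(entry name, reasons)] for every registry O4/O23 line worth a second look."""
    findings = []
    for line in log.splitlines():
        m = O23_RE.match(line) or O4_RE.match(line)
        if not m:
            continue
        reasons = flag_path(m["path"])
        if line.startswith("O23") and m["owner"] == "Unknown owner":
            reasons.append("no vendor recorded for the service binary")
        elif line.startswith("O4") and "\\" not in m["path"]:
            reasons.append("bare filename, resolved via the search path")
        if reasons:
            findings.append((m["name"], reasons))
    return findings
```

Run `triage(SAMPLE_LOG)` to get the flagged entries with their reasons; the NVIDIA service and the NvCpl Run entry come back clean, the other three are listed for review.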